Cyber and Information Security Specialist
Posted 1 day 3 hours ago by Mayden
Permanent
Full Time
Public Sector Jobs
Somerset, Bath, United Kingdom, BA1 0
Job Description
About The Role
We are looking to appoint a highly experienced cyber and information security specialist to join our growing business.
Mayden has a flat management structure and a coaching culture, with team members working together and supporting one another to make things happen. This means that job titles can look a little different, but also means our roles focus on people being able to combine what they are good at, and how they want to grow, with helping fulfil our purpose to transform health and care, together.
We are looking for a conscientious, personable and knowledgeable leader, preferably with commercial experience of working with the public sector. You may already be operating at CISO level in a small company, or have ambitions to reach the next level in your career.
Mayden's flagship patient management system, iaptus, is used by more than 200 mental health services in the UK, Australia and Canada. Theseus, our case management system for addiction and healthy lifestyle services, supports over 40 customers. We also provide systems for private practitioners and both patient and clinician facing features that are widely used across over 8 million patient records and counting.
We are passionate about delivering impactful healthcare software and we are proud to hold ourselves to the highest standards in regards to compliance and regulation. You will play a key role in ensuring that the delivery of our products and services meets those standards and will also work to respond proactively to new and evolving expectations.
We use the Scrum framework to drive product delivery, quality and success, so an appreciation of agile working is beneficial.
Key responsibilities:
- Develop and implement our security strategy: Design, implement and maintain a comprehensive security strategy, roadmap, and policies to support business objectives, future growth ambitions and product lines.
- Compliance: Ensure the company's security posture meets the requirements of the NHS Data Security and Protection Toolkit (DSPT), Cyber Essentials Plus, ISO27001:2022 and other relevant frameworks.
- Risk management: Lead the information security risk management program, including identification, assessment, mitigation, and monitoring of information security risks across all systems, applications, and operations.
- Policy and procedure development: Support and oversee the creation, review, and enforcement of information security policies, standards, procedures, and guidelines covering all aspects of security including data handling, access control, incident response, and supplier risk.
- Security architecture and engineering: Support and oversee the secure design, implementation, and maintenance of secure software development lifecycles (SDLC) and secure system architectures for all products and business systems.
- Incident response and management: Develop, implement, and manage the information security incident response plan, including detection, analysis, containment, eradication, recovery, and post-incident review, supporting timely reporting to relevant authorities (eg ICO, NHS England) where required.
- Vulnerability management and testing: Own, support and oversee programs for vulnerability scanning, penetration testing, and security audits of applications and infrastructure to identify and address security weaknesses.
- Security awareness and training: Support and oversee development and delivery of comprehensive information security awareness and training programs for all employees, ensuring Mayden's culture strongly embeds security at its core.
- Supplier security assurance: Implement and manage a robust supplier security risk assurance framework, assessing and monitoring the security posture of suppliers, partners, and subcontractors who handle company or patient data.
- Regulatory compliance and audit: Support the Data Protection Officer in ongoing compliance with all applicable UK and EU data protection laws (e.g. GDPR, Data Protection Act 2018), industry standards, and regulatory requirements.
- Security monitoring operations: Support and oversee the day-to-day security monitoring operations, including log analysis, threat intelligence, and SIEM management.
- Leadership and mentoring: Provide strong leadership to the governance, risk and compliance team and mentor the professional growth and development of security staff.
- Threat intelligence: Stay up to date with the latest cyber security threats, vulnerabilities, technologies, and best practices relevant to the health sector and the wider technology landscape.
Essential:
- Extensive security leadership: Proven experience (10+ years) in a senior information security role, with significant experience in a CISO or equivalent position within a software development or health technology environment.
- UK health sector experience: In-depth knowledge and practical experience with UK healthcare security standards and regulations, including demonstrable expertise with the NHS Data Security and Protection Toolkit (DSPT), Digital Technology Assessment Criteria (DTAC) and NCSC CAF.
- ISO 27001:2022 implementation & maintenance: Hands-on experience with the successful implementation, certification, and ongoing maintenance of an ISO 27001 Information Security Management System (ISMS), ideally to the 2022 standard.
- Security architecture & Secure by Design: Strong understanding and experience of secure software development lifecycles (SDLC) and embedding security by design into product development processes, along with secure system architecture principles.
- Risk management: Demonstrated expertise in developing, implementing, and managing information security risk management frameworks, including risk assessment methodologies (eg OCTAVE, FAIR).
- Incident response: Proven track record in developing, leading, and managing security incident response plans, including experience with major incident handling and communication with regulatory bodies (eg NCSC, ICO, NHS England).
- Policy & governance: Extensive experience in developing, implementing, and enforcing comprehensive information security policies, standards, and procedures.
- Regulatory compliance: Solid understanding of UK and EU data protection laws (eg GDPR, Data Protection Act 2018), NIS Directive, and their practical application within a health tech context.
- Stakeholder management: Excellent communication, influencing, and negotiation skills with the ability to articulate complex security concepts to technical and non-technical stakeholders, including senior leadership, product teams, and external partners.
- Team leadership & mentoring: Proven ability to lead, mentor, and develop a high-performing governance, risk, and compliance (GRC) team.
- Vulnerability management: Experience scoping, overseeing and interpreting the results of vulnerability scanning, penetration testing, and security audits.
- Cloud Security Expertise: Experience securing cloud-native applications and infrastructure (eg AWS, GCP), including knowledge of cloud security best practices and compliance frameworks.
- Certifications: Relevant industry certifications such as CISSP, CISM, CISA, ISO 27001 Lead Implementer/Auditor, or similar.
- Supplier Security Management: Experience in conducting due diligence and ongoing monitoring of third-party security posture, specifically SaaS.
- Threat Intelligence: Experience in leveraging threat intelligence to proactively identify and mitigate security risks.
- Agile Development Environments: Experience working within Agile software development environments.
- Data Privacy Officer Collaboration: Previous experience working closely with or supporting a Data Protection Officer (DPO).
We offer exciting opportunities to learn new skills, and an excellent package of benefits including:
- life assurance
- private health insurance
- pension (enhanced after successful completion of probation)
- personal training and conference budget
- onsite gym
- parking, including EV charging points
- 25 days annual leave plus bank holidays (with the option to buy or sell annual leave after probation is completed)
The position is for a full time member of our team, 37.5 hours, Monday - Friday, 9am to 5pm.
Collaboration is one of our four company values - we work best together. We believe there is significant benefit from working face to face when doing so. At the same time, some work may be carried out just as effectively alone and away from the office. We have therefore created a flexible 'place of work' policy that asks everyone to be where the work of the day is best completed and overall spend enough time in the office with others to maintain relationships and communication.
This means there are no fixed days, or number of days, when you should be in the office or can work at home. In any given week you may need to work from the office everyday or no days! It all depends on the work being done and you are expected to be flexible. Many people find this approach means they work in the office 3 or more days a week but this varies according to role and the work they have to do.
Our Place of Work policy is available on request.
The role involves occasional travel.
You must be eligible to live and work in the UK. This role is not eligible for sponsorship by Mayden for a skilled worker visa.